cvs commit: www/en send-pr.sgml www/en/cgi Makefile
confirm-code.cgi sendpr-code.cgi
Simon L. Nielsen
simon at FreeBSD.org
Sun Dec 4 16:55:02 GMT 2005
On 2005.12.04 16:18:40 +0000, Ceri Davies wrote:
> ceri 2005-12-04 16:18:40 UTC
>
> FreeBSD doc repository
>
> Modified files:
> en send-pr.sgml
> en/cgi Makefile confirm-code.cgi
> Removed files:
> en/cgi sendpr-code.cgi
> Log:
> Refactor the "confirmation code" stuff into a general purpose script.
>
> confirm-code.cgi contains a preconfigured list of databases and their
> parameters. When a request comes in, the database in the request's 'db'
> parameter is checked for validity, and a code is generated, stored in
> the appropriate database and returned.
>
> Use this new script in send-pr.sgml and remove sendpr-code.cgi which is
> now superseded.
[...]
> | --- www/en/cgi/confirm-code.cgi 2005/11/11 08:58:06 1.5
> | +++ www/en/cgi/confirm-code.cgi 2005/12/04 16:18:40 1.6
[...]
> | @@ -22,52 +25,81 @@ my @availchars = qw(A B C D E F G H J K
> | $pnmcat = "/usr/local/bin/pnmcat";
> | $pnmtopng = "/usr/local/bin/pnmtopng";
> | $pnmdatadir = "../gifs/";
> | -$dbpath = "/tmp/sendpr-code.db";
> | -$expiretime = 2700; # seconds until code expires
> | +$expiretime = 0; # Default for the Expires: header
> | ############################################
> |
> | +# The code databases that we know about. If a query comes in for
> | +# anything else, we return a zero byte "image" (rather than an image
> | +# with a rude word in, which was tempting).
> | +
> | +%db = (
> | +# The querypr one is not used, but stands as an example.
> | +# querypr => {
> | +# path => '/tmp/querypr-code.db',
> | +# lifespan => 2700,
> | +# },
> | + sendpr => {
> | + path => '/tmp/sendpr-code.db',
> | + lifespan => 2700,
> | + },
> | +);
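Review bot: the per-database `path => '/tmp/sendpr-code.db'` keeps the code database in a world-writable directory, so this hunk carries over the temporary-file exposure of the old hard-coded `$dbpath` (another local user can pre-create or symlink the file before the CGI does); now that the location is configuration rather than a constant, it would be cheap to point it at a directory writable only by the web server user and to create the file with O_EXCL so an existing file or symlink is rejected instead of used. The old `$expiretime` comment ("seconds until code expires") is also lost in this change: `lifespan => 2700` has no unit, so the comment block above `%db` should state that `lifespan` is in seconds.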
Could we put the database somewhere else, i.e. not in a world-writable
directory, so we don't have obvious potential temporary-file
vulnerabilities?
While the real problem is very small (since so few people have access
to www) I would on principle greatly prefer to have the database
somewhere else, e.g. under /usr/local/www/var/confirm-code ?
I can create the directory and set appropriate permissions for this to
work.
--
Simon L. Nielsen
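As an added illustration of the concern raised above (not code from the commit or from the FreeBSD doc tree), the following Perl helper refuses a database path whose directory is world- or group-writable, a symlink, or owned by someone else, and creates the file without following symlinks or clobbering a pre-planted one. The helper names and the /usr/local/www/var/confirm-code location are assumptions taken from the reply, not anything the script actually does.

```perl
#!/usr/bin/perl -w
# Hypothetical helper: check the directory that will hold a confirmation-code
# database before the CGI creates the file there.
use strict;
use Fcntl qw(:DEFAULT :mode);
use File::Basename qw(dirname);

# Returns an error string if the directory holding $path is unsafe for a
# privately owned database file, or undef if it looks acceptable.
sub check_db_dir {
    my ($path) = @_;
    my $dir = dirname($path);
    my @st = lstat($dir) or return "cannot stat $dir: $!";
    my ($mode, $uid) = ($st[2], $st[4]);
    return "$dir is a symlink"        if S_ISLNK($mode);
    return "$dir is not a directory"  unless S_ISDIR($mode);
    # A world- or group-writable directory (the /tmp case) lets other local
    # users create, replace or symlink the file before the CGI gets to it.
    return "$dir is world-writable"   if $mode & S_IWOTH;
    return "$dir is group-writable"   if $mode & S_IWGRP;
    return "$dir is owned by uid $uid, not by us or root"
        unless $uid == $> || $uid == 0;
    return undef;
}

# Create the database file without following a symlink and without
# opening an existing file; failing loudly beats racing an attacker.
sub create_db_file {
    my ($path) = @_;
    my $err = check_db_dir($path);
    die "refusing to use $path: $err\n" if defined $err;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "cannot create $path: $!\n";
    return $fh;
}

# Constructed comparison: the committed path against the proposed location.
for my $candidate ('/tmp/sendpr-code.db',
                   '/usr/local/www/var/confirm-code/sendpr-code.db') {
    my $err = check_db_dir($candidate);
    printf "%-52s %s\n", $candidate, defined $err ? "UNSAFE: $err" : "ok";
}
```

On a stock system the first candidate is reported as world-writable while the second is accepted only once the directory exists with restrictive permissions, which is the setup the reply offers to create.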